* scheme update
This commit is contained in:
197
providers/provider-family-aws/resources/organization/README.md
Normal file
197
providers/provider-family-aws/resources/organization/README.md
Normal file
@@ -0,0 +1,197 @@
|
||||
# AWS Organization with Crossplane - File Structure
|
||||
|
||||
## Directory Structure
|
||||
|
||||
```
|
||||
aws-crossplane-infrastructure/
|
||||
├── 01-prerequisites/
|
||||
│ ├── namespace.yaml
|
||||
│ ├── secret.yaml
|
||||
│ └── provider-config.yaml
|
||||
├── 02-organization/
|
||||
│ ├── organization.yaml
|
||||
│ ├── organizational-units.yaml
|
||||
│ └── accounts.yaml
|
||||
├── 03-policies/
|
||||
│ ├── scp-deny-leave-org.yaml
|
||||
│ ├── scp-restrict-regions.yaml
|
||||
│ └── policy-attachments.yaml
|
||||
├── 04-self-service/
|
||||
│ ├── xrd-aws-account.yaml
|
||||
│ ├── composition-aws-account.yaml
|
||||
│ └── README.md
|
||||
├── 05-rbac/
|
||||
│ ├── role-account-claim-creator.yaml
|
||||
│ └── rolebindings.yaml
|
||||
└── 06-examples/
|
||||
├── claim-frontend-dev.yaml
|
||||
├── claim-backend-prod.yaml
|
||||
└── claim-data-qa.yaml
|
||||
```
|
||||
|
||||
## File Descriptions
|
||||
|
||||
### 01-prerequisites/
|
||||
|
||||
**namespace.yaml**
|
||||
- Creates the `aws-organization` namespace
|
||||
- Where all organization infrastructure lives
|
||||
|
||||
**secret.yaml**
|
||||
- Stores AWS credentials
|
||||
- Used by ProviderConfig
|
||||
|
||||
**provider-config.yaml**
|
||||
- Configures the AWS provider
|
||||
- References the credentials secret
|
||||
|
||||
### 02-organization/
|
||||
|
||||
**organization.yaml**
|
||||
- Creates the AWS Organization
|
||||
- Enables necessary AWS services
|
||||
- Configures policy types
|
||||
|
||||
**organizational-units.yaml**
|
||||
- Creates Production OU
|
||||
- Creates Non-Production OU
|
||||
- Creates Management OU
|
||||
|
||||
**accounts.yaml**
|
||||
- Creates aws-prod account
|
||||
- Creates aws-dev account
|
||||
- Creates aws-qa account
|
||||
|
||||
### 03-policies/
|
||||
|
||||
**scp-deny-leave-org.yaml**
|
||||
- Service Control Policy
|
||||
- Prevents accounts from leaving organization
|
||||
|
||||
**scp-restrict-regions.yaml**
|
||||
- Service Control Policy
|
||||
- Restricts allowed AWS regions
|
||||
|
||||
**policy-attachments.yaml**
|
||||
- Attaches SCPs to Organizational Units
|
||||
- Links policies to accounts/OUs
|
||||
|
||||
### 04-self-service/
|
||||
|
||||
**xrd-aws-account.yaml**
|
||||
- Composite Resource Definition
|
||||
- Defines the API for account claims
|
||||
- Specifies available fields
|
||||
|
||||
**composition-aws-account.yaml**
|
||||
- Composition logic
|
||||
- Maps claim fields to AWS resources
|
||||
- Handles account creation automation
|
||||
|
||||
**README.md**
|
||||
- Documentation for teams
|
||||
- How to request an account
|
||||
- Examples and usage
|
||||
|
||||
### 05-rbac/
|
||||
|
||||
**role-account-claim-creator.yaml**
|
||||
- Kubernetes Role
|
||||
- Permissions to create claims
|
||||
|
||||
**rolebindings.yaml**
|
||||
- Binds roles to teams
|
||||
- Per-namespace access control
|
||||
|
||||
### 06-examples/
|
||||
|
||||
**claim-frontend-dev.yaml**
|
||||
- Example claim for frontend team
|
||||
- Development environment
|
||||
|
||||
**claim-backend-prod.yaml**
|
||||
- Example claim for backend team
|
||||
- Production environment
|
||||
|
||||
**claim-data-qa.yaml**
|
||||
- Example claim for data team
|
||||
- QA environment
|
||||
|
||||
## Installation Order
|
||||
|
||||
Apply files in this order:
|
||||
|
||||
```bash
|
||||
# 1. Install provider first (do this manually)
|
||||
kubectl crossplane install provider \
|
||||
xpkg.upbound.io/upbound/provider-aws-organizations:v2.2.0
|
||||
|
||||
# 2. Apply prerequisites
|
||||
kubectl apply -f 01-prerequisites/
|
||||
|
||||
# 3. Wait for provider to be ready
|
||||
kubectl wait --for=condition=healthy provider.pkg.crossplane.io/provider-aws-organizations
|
||||
|
||||
# 4. Create organization structure
|
||||
kubectl apply -f 02-organization/organization.yaml
|
||||
# Wait for organization to be created
|
||||
kubectl wait --for=condition=ready organization.organizations.aws.m.upbound.io/my-organization -n aws-organization
|
||||
|
||||
# 5. Get root ID and update OUs
|
||||
ROOT_ID=$(kubectl get organization my-organization -n aws-organization -o jsonpath='{.status.atProvider.roots[0].id}')
|
||||
# Update the parentId in organizational-units.yaml with this ROOT_ID
|
||||
|
||||
# 6. Create OUs
|
||||
kubectl apply -f 02-organization/organizational-units.yaml
|
||||
|
||||
# 7. Create accounts
|
||||
kubectl apply -f 02-organization/accounts.yaml
|
||||
|
||||
# 8. Apply policies
|
||||
kubectl apply -f 03-policies/
|
||||
|
||||
# 9. Set up self-service
|
||||
kubectl apply -f 04-self-service/
|
||||
|
||||
# 10. Set up RBAC
|
||||
kubectl apply -f 05-rbac/
|
||||
|
||||
# 11. Teams can now create claims!
|
||||
kubectl apply -f 06-examples/
|
||||
```
|
||||
|
||||
## Monitoring Commands
|
||||
|
||||
```bash
|
||||
# Check all resources
|
||||
kubectl get managed -n aws-organization
|
||||
|
||||
# Check specific resources
|
||||
kubectl get organization -n aws-organization
|
||||
kubectl get organizationalunit -n aws-organization
|
||||
kubectl get account -n aws-organization
|
||||
kubectl get policy -n aws-organization
|
||||
|
||||
# Check claims (in team namespaces)
|
||||
kubectl get awsaccountclaim -A
|
||||
|
||||
# Debug a specific resource
|
||||
kubectl describe account aws-prod -n aws-organization
|
||||
```
|
||||
|
||||
## GitOps Structure (Optional)
|
||||
|
||||
If using ArgoCD/Flux:
|
||||
|
||||
```
|
||||
├── base/
|
||||
│ ├── 01-prerequisites/
|
||||
│ ├── 02-organization/
|
||||
│ ├── 03-policies/
|
||||
│ └── 04-self-service/
|
||||
└── overlays/
|
||||
├── dev/
|
||||
│ └── kustomization.yaml
|
||||
└── prod/
|
||||
└── kustomization.yaml
|
||||
```
|
||||
Reference in New Issue
Block a user